From 28707fa0f364e82fd3aaccf01255b53bf4080c0b Mon Sep 17 00:00:00 2001
From: RubenD96
Date: Wed, 7 Apr 2021 17:26:49 +0200
Subject: [PATCH] Fix exploit for invalid skill macro name length
---
 .../channel/handlers/SkillMacroHandler.java | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/main/java/net/server/channel/handlers/SkillMacroHandler.java b/src/main/java/net/server/channel/handlers/SkillMacroHandler.java
index 148d93a986..d071b74b56 100644
--- a/src/main/java/net/server/channel/handlers/SkillMacroHandler.java
+++ b/src/main/java/net/server/channel/handlers/SkillMacroHandler.java
@@ -21,24 +21,35 @@
 */
 package net.server.channel.handlers;
+import client.MapleCharacter;
 import client.MapleClient;
 import client.SkillMacro;
-import tools.data.input.SeekableLittleEndianAccessor;
+import client.autoban.AutobanFactory;
 import net.AbstractMaplePacketHandler;
+import tools.data.input.SeekableLittleEndianAccessor;
 public final class SkillMacroHandler extends AbstractMaplePacketHandler {
-
+
 @Override
 public final void handlePacket(SeekableLittleEndianAccessor slea, MapleClient c) {
+ MapleCharacter chr = c.getPlayer();
 int num = slea.readByte();
+ if (num > 5) return;
+
 for (int i = 0; i < num; i++) {
 String name = slea.readMapleAsciiString();
+ if (name.length() > 12) {
+ AutobanFactory.PACKET_EDIT.alert(chr, "Invalid name length " + name + " (" + name.length() + ") for skill macro.");
+ c.disconnect(false, false);
+ break;
+ }
+
 int shout = slea.readByte();
 int skill1 = slea.readInt();
 int skill2 = slea.readInt();
 int skill3 = slea.readInt();
 SkillMacro macro = new SkillMacro(skill1, skill2, skill3, name, shout, i);
- c.getPlayer().updateMacros(i, macro);
+ chr.updateMacros(i, macro);
 }
 }
 }
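Review bot: The alert in the `name.length() > 12` branch concatenates the whole rejected `name` into its message, so the client-supplied string that just failed the length check (as long as `readMapleAsciiString` will accept) is passed verbatim to wherever `AutobanFactory.PACKET_EDIT.alert` writes, which is not visible in this hunk. Reporting only the length keeps that output bounded: `AutobanFactory.PACKET_EDIT.alert(chr, "Invalid name length (" + name.length() + ") for skill macro.");`. The `if (num > 5) return;` guard drops the same kind of malformed packet silently, with no alert or disconnect, and would be easier to audit if it took the same path as the name check; named constants or a short comment saying where the limits 5 and 12 come from (presumably the client's macro count and name field) would help too. Macros accepted earlier in the loop have already gone through `updateMacros` when a later entry is rejected, so validating every entry before applying any would avoid a half-applied update.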